MAINE SECURITY BREACH REPORTING FORM 

Pursuant to the Notice of Risk to Personal Data Act 

(Maine Revised Statutes 10 M.R.S.A. §§ 1346-1350-B)

Name and address of Entity that owns or maintains the computerized data that was subject to the breach: 

Burke Law, P.C.

Street Address: 77 College Street, Suite 2C 

City: Burlington State: VT Zip Code: 05401


Submitted by: Sue Friedberg 

Title: Legal Counsel 

Dated: 12/18/2018

Firm Name (if other than entity): 

Buchanan Ingersoll & Rooney, PC 


Telephone: (412) 562-8436 

Email: sue.friedberg@bipc.com

Relationship to Entity whose information was compromised: Legal Counsel 


Type of Organization (please select one): [ ] Governmental Entity in Maine; [ ] Other Governmental Entity; 

[ ] Educational; [ ] Health Care; [ ] Financial Services; * [X] Other Commercial; [ ] Not-for-Profit; [ ] POS Vendor 


Number of Persons Affected: 

Total (including Maine residents): Maine Residents: 5 Not Applicable

If the number of Maine residents exceeds 1,000, have the consumer reporting agencies been notified? [ ] Yes; [ ] No. 


Dates: Breach Occurred: 10/2/2018 Breach Discovered: 10/2/2018 Consumer Notification: 11/24/2018 


Description of Breach (please select all that apply): 

[ ] Loss or theft of device or media (e.g., computer, laptop, external hard drive, thumb drive, CD, tape);

[ ] Internal system breach; [ ] Insider wrongdoing; [X] External system breach (e.g., hacking); [ ] Inadvertent disclosure;
[ ] Other (specify):


Information Acquired: Name or other personal identifier in combination with (please select all that apply): 
[ ] Social Security Number

[X] Driver’s license number or non-driver identification card number

[X] Financial account number or credit or debit card number, in combination with the security code, access code,
password, or PIN for the account 


Manner of Notification to Affected Persons - ATTACH A COPY OF THE TEMPLATE OF THE NOTICE TO 
AFFECTED MAINE RESIDENTS: See Exhibit A attached hereto. 

[X] Written; [ ] Electronic; [ ] Telephone; [ ] Substitute notice. 

List dates of any previous (within 12 months) breach notifications: Not Applicable

Identity Theft Protection Service Offered: [ ] Yes; [X] No.

Duration: Provider:

Brief Description of Service:


*If reporting to Department of Professional and Financial Regulation, this form is not required. 10 
M.R.S.A. § 1348(5) 
















Exhibit A 


Template Notice Letters 

Please see attached. Clients of Burke Law, P.C. received a copy of the first notice letter attached 
hereto. Non-clients of Burke Law, P.C. received a copy of the second notice letter attached 
hereto. 




Burke Law 


Attorneys at Law 
Jessica Burke, Esq. 
Zachery Weight, Esq. 
Leah Henderson, Esq. 


«Date» 

«First_Name» «Middle_Name» «Last_Name»

«Address_1» 

«Address_2» 

«City», «State» «Zip» 

Re: Notice of Data Breach 

Dear «First_Name»: 

We are writing to inform you of a recent incident that may have exposed to unauthorized access information 
that you, someone you know, or a third party provided to Burke Law, P.C. On October 2, 2018, we first 
learned that an unknown person may have accessed one of our employees’ email accounts without 
permission. The information contained in the email account may have included some of your personal 
information. 

We take this matter very seriously because the security of your personal information is very important to you 
and to us. As soon as we learned of this unauthorized access, we immediately launched an investigation to 
understand what happened and initiated actions to try to prevent something like this from happening again. 
We are providing this notice to you as a precautionary measure, to inform you of the incident and to explain 
some steps you can take to protect your information. At this time, we have no information indicating that 
any of your information has been inappropriately used by anyone. 

What Happened 

On October 2, 2018, we first learned that an unknown person may have accessed one of our employees’ 
email accounts without permission. We immediately engaged a leading cybersecurity forensic investigation 
firm to help identify which email accounts were compromised by the attack. At this time, based on the 
forensic investigation, we believe that the attack was contained to a single employee’s email account. Upon 
review of the emails potentially compromised in the attack, we determined that some of these emails 
contained personal information, which is why we are notifying you now. 

What Information Was Involved 


We believe that the information contained in the email account may have exposed your personal 
information, such as name, address, birthdate, driver’s license information, and medical information to the 
unknown person. The affected emails may also have contained confidential information about your legal 
matters. We have no reason to believe that the intruder was looking for that type of information, but rather 
was looking for information that can be used to falsify a person’s identity in order to operate a scam or credit 
fraud. We will notify you immediately if we have any concern that this breach may in any way compromise 
your legal position or the outcome of your matter. Again, at this time, we have no information indicating that 
any of your information has been inappropriately used by anyone. 

What We Are Doing 

As part of our investigation, we immediately reset account passwords, made them stronger, and now require 
more frequent password changes. To further enhance security, we added new security features to email 
accounts and strengthened our security monitoring. Additionally, we are assessing our security practices so 
that we are continually vigilant about cybersecurity threats and prepared for attacks. We will continue to
educate our staff on how to avoid the tricks and tactics that unauthorized individuals may use to gain access
to our email. 

What You Can Do 


As a precautionary measure, we advise you to take appropriate steps to protect your personal information. 
We recommend that you remain vigilant to the possibility of fraud and identity theft by reviewing and 
monitoring your account statements and free credit reports for any unauthorized activity. If you find 
unauthorized or suspicious activity, you should immediately contact your credit card company, financial 
institution, and/or law enforcement. By law, you are now entitled—at no charge—to place a credit freeze on 
all the credit agency reports about you, and to lift that freeze when you wish at no charge. Information about 
what to do to set up a credit freeze is available here: https://www.consumer.ftc.gov/blog/2018/09/free-credit-freezes-are-here.


For More Information 


Please contact us with any questions and concerns by calling (802) 318-8076 and leaving a message that 
references this letter. 

We sincerely apologize for any inconvenience and concern this incident has caused you. The security of 
your information is very important to us and we are committed to protect your information. 


Sincerely, 



Jessica Burke, Esq. 
Owner, Burke Law, P.C. 









Burke Law 


Attorneys at Law 
Jessica Burke, Esq. 
Zachery Weight, Esq. 
Leah Henderson, Esq. 


«Date» 

«First_Name» «Middle_Name» «Last_Name»

«Address_1» 

«Address_2» 

«City», «State» «Zip» 

Re: Notice of Data Breach 

Dear «First_Name»: 

We are writing to inform you of a recent incident that may have exposed to unauthorized access information 
that you, someone you know, or a third party provided to Burke Law, P.C. On October 2, 2018, we first 
learned that an unknown person may have accessed one of our employees’ email accounts without 
permission. The information contained in the email account may have included some of your personal 
information. 

We take this matter very seriously because the security of your personal information is very important to you 
and to us. As soon as we learned of this unauthorized access, we immediately launched an investigation to 
understand what happened and initiated actions to try to prevent something like this from happening again. 
We are providing this notice to you as a precautionary measure, to inform you of the incident and to explain 
some steps you can take to protect your information. At this time, we have no information indicating that 
any of your information has been inappropriately used by anyone. 

What Happened 

On October 2, 2018, we first learned that an unknown person may have accessed one of our employees’ 
email accounts without permission. We immediately engaged a leading cybersecurity forensic investigation 
firm to help identify which email accounts were compromised by the attack. At this time, based on the 
forensic investigation, we believe that the attack was contained to a single employee’s email account. Upon 
review of the emails potentially compromised in the attack, we determined that some of these emails 
contained personal information, which is why we are notifying you now. 

What Information Was Involved 


We believe that the information contained in the email account may have exposed your personal 
information, such as name, address, birthdate, driver’s license information, and medical information to the 
unknown person. Again, at this time, we have no information indicating that any of your information has 
been inappropriately used by anyone. 

What We Are Doing 

As part of our investigation, we immediately reset account passwords, made them stronger, and now require 
more frequent password changes. To further enhance security, we added new security features to email 
accounts and strengthened our security monitoring. Additionally, we are assessing our security practices so 
that we are continually vigilant about cybersecurity threats and prepared for attacks. We will continue to
educate our staff on how to avoid the tricks and tactics that unauthorized individuals may use to gain access
to our email. 

What You Can Do 


As a precautionary measure, we advise you to take appropriate steps to protect your personal information. 
We recommend that you remain vigilant to the possibility of fraud and identity theft by reviewing and 
monitoring your account statements and free credit reports for any unauthorized activity. If you find 
unauthorized or suspicious activity, you should immediately contact your credit card company, financial 
institution, and/or law enforcement. By law, you are now entitled—at no charge—to place a credit freeze on 
all the credit agency reports about you, and to lift that freeze when you wish at no charge. Information about 
what to do to set up a credit freeze is available here: https://www.consumer.ftc.gov/blog/2018/09/free-credit-freezes-are-here.


For More Information 


Please contact us with any questions and concerns by calling (802) 318-8076 and leaving a message that 
references this letter. 

We sincerely apologize for any inconvenience and concern this incident has caused you. The security of 
your information is very important to us and we are committed to protect your information. 


Sincerely, 



Jessica Burke, Esq. 
Owner, Burke Law, P.C. 








